Observers might be tempted to conclude that the abrupt drop in exploit kit activity in June means a diminished threat from drive-by malvertising attacks. But as we detail in our research blog, that would be a mistake.
Far from going gently into that good night, malvertising campaigns continue to evolve and adapt. A campaign we’ve dubbed AdGholas ran for more than a year and pulled in as many as 1 million victims per day before being shut down after we alerted ad networks this month.
As AdGholas proves, attackers continue to evolve their techniques to remain stealthy and effective against the latest defensive advances.
Exploit kits (EKs) are the primary tools used by threat actors to target users with so-called "drive-by" downloads. When web surfers navigate to a compromised site using a vulnerable computer, the EK can immediately download a variety of malware without their knowledge. Malvertising, the practice of embedding malware and links to compromised websites in online ads, is one of the biggest drivers of traffic to exploit kits. Large black-market ecosystems support the practice.
EK traffic dropped off precipitously in the second quarter of this year. Some wondered where the change would leave malvertisers.
Recent research by our analysts and collaborators at Trend Micro shows that malvertising is alive and well. As we detailed in this blog post, malvertising actors are growing even more sophisticated and innovative. AdGholas infected thousands of users by the day.
Malvertising leverages legitimate ad networks and often dubious referral networks to display advertising across a wide range of web properties.
Among other factors, AdGholas carefully targeted malicious ads and filtered their impressions based on the victim’s PC language settings, time zone, and even whether the PC was OEM-branded. The latter made it more likely that an "average user" would be targeted.
Figure 1: Targeting OEM-branded PCs
AdGholas has been using these techniques and advertising/referral networks since 2015. In addition to precise targeting, it uses carefully cloned websites to evade detection (Figure 2).
Figure 2: AdGholas campaign using a cloned website to avoid detection
AdGholas has used multiple domains throughout its ongoing campaigns. But the bigger story is the sheer scale of its operations. Proofpoint researchers estimate that the referral networks, which comprise more than 20 different ad agencies and ad exchange platforms, supplied 1 to 5 million "high-quality" referrals per day. A high-quality referral is someone likely to click on an ad because of relevance and targeting—and likely to have a vulnerable PC.
Moreover, AdGholas used a technique known as steganography (our colleagues at Trend Micro analyse the details).
Steganography hides code within images, text, HTML, and so on to evade detection by traditional means. The practice has legitimate uses in cryptography. But in this case, it was used to deliver malware that went undetected within seemingly benign JavaScript code.
To our knowledge, all AdGholas campaigns are now suspended, thanks to the swift work of the ad industry representatives we contacted. AdGholas and other high-profile actors such as VirtualDonna have shown substantial resilience in their operations; we will continue to monitor this situation.
Although recent changes in the exploit kit landscape suggest a contraction in the drive-by malware scene, AdGholas shows that the threat is not diminishing. Instead, AdGholas is a vivid reminder that attackers continue to evolve. Their increasingly sophisticated techniques enable them to remain stealthy and effective even in the face of the latest defensive advances.
To read more details on this elaborate scheme, check out the Threat Insight post and Trend Micro's blog.